Item13548: Setting certain preference settings can break things. Protect more settings with FINAL by default.
Priority: Security
Current State: Closed
Released In: n/a
Target Release: n/a
Applies To: Engine
Component:
Branches: master
Item13525
Add the result of the following command into any topic (by editing it, or via the comment text area):
find $FWROOT/data/System -name Var\* -print | perl -pE 's:.*/Var(\w+)\.txt: * Set $1 =:'
e.g. you will get the list below (of course without the #x marks).
This effectively turns the topic into something that isn't easily reversible with standard wiki tools, at least for common users.
- #xSet ACTIVATEDPLUGINS =
- #xSet ADDTOHEAD =
- #xSet ADDTOZONE =
- #xSet ALLVARIABLES =
- #xSet ATTACHURL =
- #xSet ATTACHURLPATH =
- #xSet AUTHREALM =
- #xSet BASETOPIC =
- #xSet BASEWEB =
- #xSet BUTTON =
- #xSet CALC =
- #xSet CALCULATE =
- #xSet COMMENT =
- #xSet COVER =
- #xSet DATE =
- #xSet DISPLAYTIME =
- #xSet ENCODE =
- #xSet ENDCOLOR =
- #xSet ENDINCLUDE =
- #xSet ENDSECTION =
- #xSet ENDTAB =
- #xSet ENDTABPANE =
- #xSet ENDTWISTY =
- #xSet ENDTWISTYTOGGLE =
- #xSet ENV =
- #xSet EXAMPLETAG =
- #xSet EXPAND =
- #xSet FAILEDPLUGINS =
- #xSet FORMAT =
- #xSet FORMFIELD =
- #xSet GMTIME =
- #xSet GROUPINFO =
- #xSet GROUPS =
- #xSet HISTORY =
- #xSet HOMETOPIC =
- #xSet HTTP =
- #xSet HTTPHOST =
- #xSet HTTPS =
- #xSet ICON =
- #xSet ICONURL =
- #xSet ICONURLPATH =
- #xSet IF =
- #xSet INCLUDE =
- #xSet INCLUDINGTOPIC =
- #xSet INCLUDINGWEB =
- #xSet JQICON =
- #xSet JQICONPATH =
- #xSet JQPLUGINS =
- #xSet JQREQUIRE =
- #xSet JQTHEME =
- #xSet LANG =
- #xSet LANGUAGE =
- #xSet LANGUAGES =
- #xSet LOCALSITEPREFS =
- #xSet LOGIN =
- #xSet LOGOUT =
- #xSet MAINWEB =
- #xSet MAKETEXT =
- #xSet META =
- #xSet METASEARCH =
- #xSet NONCE =
- #xSet NOP =
- #xSet NOTIFYTOPIC =
- #xSet PERLDEPENDENCYREPORT =
- #xSet PLUGINDESCRIPTIONS =
- #xSet PLUGINVERSION =
- #xSet POPUPWINDOW =
- #xSet PUBURL =
- #xSet PUBURLPATH =
- #xSet QUERY =
- #xSet QUERYPARAMS =
- #xSet QUERYSTRING =
- #xSet REMOTEADDR =
- #xSet REMOTEPORT =
- #xSet REMOTEUSER =
- #xSet RENDERLIST =
- #xSet RENDERZONE =
- #xSet REVARG =
- #xSet REVINFO =
- #xSet REVTITLE =
- #xSet SCRIPTNAME =
- #xSet SCRIPTSUFFIX =
- #xSet SCRIPTURL =
- #xSet SCRIPTURLPATH =
- #xSet SEARCH =
- #xSet SERVERINFORMATION =
- #xSet SERVERTIME =
- #xSet SESSIONID =
- #xSet SESSIONVAR =
- #xSet SESSIONVARIABLE =
- #xSet SET =
- #xSet SHOWPREFERENCE =
- #xSet SKIN =
- #xSet SLIDESHOWEND =
- #xSet SLIDESHOWSTART =
- #xSet SPACEDTOPIC =
- #xSet SPACEOUT =
- #xSet STARTINCLUDE =
- #xSet STARTSECTION =
- #xSet STATISTICSTOPIC =
- #xSet STOPINCLUDE =
- #xSet STOPSECTION =
- #xSet SUBSCRIBE =
- #xSet SYSTEMWEB =
- #xSet TAB =
- #xSet TABLE =
- #xSet TABPANE =
- #xSet TOC =
- #xSet TOPIC =
- #xSet TOPICLIST =
- #xSet TWIKIWEB =
- #xSet TWISTY =
- #xSet TWISTYBUTTON =
- #xSet TWISTYHIDE =
- #xSet TWISTYSHOW =
- #xSet TWISTYTOGGLE =
- #xSet URLPARAM =
- #xSet USERINFO =
- #xSet USERNAME =
- #xSet USERSWEB =
- #xSet VAR =
- #xSet WEB =
- #xSet WEBLIST =
- #xSet WEBPREFSTOPIC =
- #xSet WIKIHOMEURL =
- #xSet WIKINAME =
- #xSet WIKIPREFSTOPIC =
- #xSet WIKITOOLNAME =
- #xSet WIKIUSERNAME =
- #xSet WIKIUSERSTOPIC =
- #xSet WIKIVERSION =
- #xSet WIKIWEBMASTER =
- #xSet WIKIWEBMASTERNAME =
--
JozefMojzis - 21 Jul 2015
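A way to check a topic for exactly the pattern described above, as an added example that is not part of this report or of Foswiki's own code: it reads the FINALPREFERENCES list out of a preference topic, scans another topic for `* Set` / `* Local` lines, and reports every name that collides with a core macro and is not finalised (a finalised name is ignored because the override is refused anyway). The macro set and both topic fragments are constructed for the example; a real check would build the macro set from data/System/Var*.txt, as the find command above does, and the preference syntax is reduced to single-line settings.

```python
import re

# Constructed subset of the core macro names from the report's list (assumption: a real
# deployment would build this set from data/System/Var*.txt, as the reporter's find
# command does, rather than hard-coding it).
CORE_MACROS = frozenset({
    "ATTACHURL", "BASEWEB", "ENCODE", "IF", "INCLUDE", "META", "REVINFO",
    "SEARCH", "SET", "TOPIC", "URLPARAM", "WEB", "WIKINAME",
})

# A single-line Foswiki preference setting: bullet, Set or Local, name, '=', value.
SET_RE = re.compile(r"^\s*\*\s+(Set|Local)\s+([A-Za-z0-9_]+)\s*=(.*)$")


def parse_settings(topic_text):
    """Return [(line_no, kind, name, value)] for every preference setting in a topic."""
    found = []
    for line_no, line in enumerate(topic_text.splitlines(), start=1):
        m = SET_RE.match(line)
        if m:
            found.append((line_no, m.group(1), m.group(2), m.group(3).strip()))
    return found


def final_preferences(prefs_text):
    """Names listed in a preference topic's FINALPREFERENCES setting (empty if none)."""
    names = set()
    for _, _, name, value in parse_settings(prefs_text):
        if name == "FINALPREFERENCES":
            names.update(n.strip() for n in value.split(",") if n.strip())
    return frozenset(names)


def macro_shadowing(topic_text, finalised=frozenset(), macros=CORE_MACROS):
    """Settings in topic_text that would replace a core macro with their value.

    A name in `finalised` is skipped: Foswiki refuses to override a finalised
    preference, so the Set line is harmless there. Every other collision with a
    macro name is reported together with its line number.
    """
    return [
        (line_no, name)
        for line_no, _, name, _ in parse_settings(topic_text)
        if name in macros and name not in finalised
    ]


# Constructed DefaultPreferences fragment with the pre-patch two-name list.
DEFAULT_PREFS = "   * Set FINALPREFERENCES = WEB, TOPIC\n"

# Constructed page in the shape the reporter describes: ordinary settings next to
# Set lines that empty core macros.
SAMPLE_TOPIC = """\
---+ Harmless looking page
   * Set MYCOLOR = red
   * Set WEB = Sandbox
   * Set INCLUDE =
   * Set SEARCH =
   * Local REVINFO =
"""

if __name__ == "__main__":
    final = final_preferences(DEFAULT_PREFS)
    for line_no, name in macro_shadowing(SAMPLE_TOPIC, final):
        print(f"line {line_no}: '{name}' shadows a core macro and is not in FINALPREFERENCES")
```

Run against the sample, WEB is skipped because the pre-patch list already finalises it, while INCLUDE, SEARCH and REVINFO are reported; passing the full macro set as `finalised` is the condition under which the report's list becomes harmless.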
Confirmed. It completely breaks admin-only tools, like delRev and repRev. If it's one or two variables that break things, maybe setting them in FINAL would get around this.
--
GeorgeClark - 21 Jul 2015
The following patch prevents the DoS:
diff --git a/core/data/Main/SitePreferences.txt b/core/data/Main/SitePreferences.txt
index fd6efd4..99e2ad2 100644
--- a/core/data/Main/SitePreferences.txt
+++ b/core/data/Main/SitePreferences.txt
@@ -39,8 +39,7 @@ Customize your top bar background image and color
---++ Finalisation
=FINALPREFERENCES= locks site-level preferences that are *not* allowed to be overridden by [[%WEBPREFSTOPIC%]] or user preferences:
- * Set FINALPREFERENCES = ATTACHFILESIZELIMIT, PREVIEWBGIMAGE, WIKITOOLNAME, WIKIHOMEURL, ALLOWROOTCHANGE, DENYROOTCHANGE, USERSWEB, SYSTEMWEB, DOCWEB
-
+ * Set FINALPREFERENCES = ATTACHFILESIZELIMIT, PREVIEWBGIMAGE, WIKITOOLNAME, WIKIHOMEURL, ALLOWROOTCHANGE, DENYROOTCHANGE, DOCWEB
<!-- Keep this as a security measure:
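Review bot: USERSWEB and SYSTEMWEB vanish from the site-level FINALPREFERENCES here with nothing in the hunk saying where they went; they are only safe to drop because the DefaultPreferences hunk finalises them at system level, so the two files must ship together, and the explanatory line above the setting ("locks site-level preferences that are *not* allowed to be overridden by WebPreferences or user preferences") should say that WEB, TOPIC, USERSWEB and SYSTEMWEB are already finalised by the system web, so an admin editing SitePreferences does not re-add them. The hunk also removes the blank line between the Set line and the "<!-- Keep this as a security measure:" comment; keep that separator unless its removal is intentional.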
diff --git a/core/data/System/DefaultPreferences.txt b/core/data/System/DefaultPreferences.txt
index d764ce6..1e8c416 100644
--- a/core/data/System/DefaultPreferences.txt
+++ b/core/data/System/DefaultPreferences.txt
@@ -459,7 +459,9 @@ You can introduce new [[PreferenceSettings][preference settings]] and use them i
The following macros are declared final to protect them as read only. These are system macros that should
never be attempted set or altered in any preference topic or topic settings.
- * Set FINALPREFERENCES = WEB, TOPIC
+ * Set FINALPREFERENCES = WEB, TOPIC, BASEWEB, BASETOPIC, ENCODE, ENV, IF, QUERYPARAMS, QUERYSTRING, URLENCODE, URLPARAM, SCRIPTURL, SCRIPTURLPATH, SCRIPTSUFFIX, ATTACHURL, ATTACHURLPATH, PUBURL, PUBURLPATH, USERSWEB, SYSTEMWEB, SANDBOXWEB, MAKETEXT, GMTIME
---++ Related Topics
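Review bot: the new FINALPREFERENCES list is a hand-picked subset, so most of the names in the reporter's list stay settable from any topic: INCLUDE, SEARCH, META, REVINFO, FORMFIELD, TOPICLIST, WEBLIST, USERNAME, WIKINAME, WIKIUSERNAME, SESSIONID, REMOTEADDR and SET itself are all absent, and a topic containing "   * Set INCLUDE =" or "   * Set SEARCH =" will still blank those macros. Either generate the list from every data/System/Var*.txt name (the reporter's find command produces exactly that) or make the preferences reader refuse a Set/Local whose name matches a registered macro, which also covers macros registered later by plugins. The hunk additionally adds URLENCODE and SANDBOXWEB, which do not appear in the reporter's list, and takes over USERSWEB and SYSTEMWEB from SitePreferences; the sentence above the setting ("system macros that should never be attempted set or altered in any preference topic") should mention which names moved here so the two files stay in sync.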
--
GeorgeClark - 23 Jul 2015